DCI Affirmation of Policy for Dealing with the General Accounting Office (GAO)

ACTION REQUESTED

1. I recommend that you affirm the policies set forth in paragraphs 7-22 below to guide the Intelligence Community's future dealings with GAO. Implementation of these policies will directly affect the manner in which GAO interacts with defense intelligence agencies. Therefore, I recommend that you discuss your decisions with John Deutch, Deputy Secretary of Defense, and ask his assistance in making appropriate changes to DOD regulations and policy documents. A future DCI/SecDef breakfast would be an appropriate forum for this discussion.

COORDINATION

2. My staff has coordinated this memorandum with representatives of NSA, DIA, CIO, NRO and DOD/C3I. Additionally, we have had several meetings with Keith Hall, Craig Wilson and Jerry Burke of C3I to discuss the impact of these proposed policies upon DOD equities. They fully agree with the approach and proposed recommendations discussed herein and will be briefing Dr. Deutch on the issues presented to you for decision. Finally, we recently met with Robert Stone of the Vice-President's NPR staff to ensure that the staff will be aware of and not object to our future handling of NPR matters vis-à-vis the GAO.

BACKGROUND

3. Representatives of the General Accounting Office regularly seek information or briefings from the CIA on a wide variety of topics. As I will discuss below, the Agency's policy for dealing with requests for CIA information is well-established, clear and understood (if not entirely accepted) by all concerned. Since the beginning of FY 1994, however, we have become aware of several other GAO investigations relating to the field of intelligence and primarily directed at defense agencies: (a) a self-initiated review of DOD's reorganization of defense intelligence activities (SASC is aware of and seems to endorse this review), (b) a self-initiated review of classified intelligence programs and funding, to include programs within NFIP and TIARA and special access programs, (c) a review of Third Party SIGINT agreements undertaken at Senator Byrd's (Chairman, SAC) request, and (d) a GAO request to review and discuss Intelligence Community implementation of NPR actions (part of a larger NPR review undertaken pursuant to requests from several committees). Copies of documents describing these GAO activities are attached at Tabs A-D. I should note that two of the surveys were self-initiated at the staff level of GAO.

4. GAO staffers conducting these surveys have been aggressive in seeking information both from the defense elements themselves and from CMS. GAO is specifically seeking access to, inter alia, the August 1993 Joint Program Guidance, FY 1995 CBJB's for the GDIP and CIOP, detailed status of and actions taken to implement Community NPR recommendations, and DCID's pertaining to SIGINT agreements. These types of documents are traditionally considered as being under DCI cognizance. DOD/C3I representatives have told GAO that requests for access to "materials under the exclusive cognizance of the DCI" must be referred to the DCI for resolution. DOD has also advised GAO that they can request access through any Congressional staff elements to which the documents have been provided. The GAO investigators are not pleased with C3I's response and continue to pressure DOD and CMS for access.

5. As mentioned previously, CMS, OCA and DOD/C3I representatives have had several meetings to discuss the burgeoning GAO access problem and to develop a coordinated strategy. DOD representatives believe that GAO is engaged in a concerted effort -- indeed, a "fishing expedition" -- to increase their institutional access to Intelligence Community information. From my perspective, I believe that assessment is accurate and that we should resist further GAO incursions into the way we do business.

6. We also understand that GAO representatives have met with key Committee staffers on the SASC (and perhaps the SSCI) to argue their need for access. For example, we recently learned that some SASC staffers were considering including language in the FY 1995 Defense Authorization Act broadening GAO access to the Intelligence Community and requiring that GAO be given access to CBJB's and related documents. (The bill and report which passed the Senate on 1 July do not contain any such language). In addition, we understand that GAO may be trying to persuade other senior officials to contact you concerning GAO access to NPR implementation issues. Because of the confluence of these events, it is important that you affirm your policies concerning GAO access and that we inform interested parties of your decision.

LEGAL BASES FOR GAO ACCESS

Policy Governing Access to CIA Information

7. The CIA's policy toward sharing information with the GAO has two components: (1) we provide briefings that convey the Agency's analytical conclusions on substantive issues relevant to ongoing GAO studies, but (2) we decline to answer inquiries tthat involve CIA programs, sources, or operational or analytical methodologies -- so-called "oversight" information. The GAO representatives we deal with understand and abide by this policy, although they assuredly dislike the resulting restriction of information. The CIA policy works quite well in practice, and GAO appreciates the information we do provide.

8. The legal bases for the CIA's policy derive from several statutes -- the National Security Act of 1947, the CIA Act of 1949, the GAO Act of 1980, and the Intelligence Oversight Act of 1980. In the early years of CIA, there were attempts by GAO to conduct CIA audits, but these efforts were abandoned by mutual agreement due to the constraints imposed by CIA. Specifically, CIA limited GAO access to CIA information under the DCI's authority to protect intelligence sources and methods pursuant to the National Security Act, and under the DCI's unvouchered funds expenditure authority contained in the CIA Act of 1949.

9. Under the GAO Act of 1980, the Comptroller General and GAO were given broad authority to audit, investigate and evaluate government programs, especially the receipt, disbursement and use of public money. 31 U.S.C. section 712. Under the Act, Congress may direct the GAO to conduct investigations, evaluate government programs, and make reports. 31 U.S.C. §712, 717. There are, however, two provisions of the Act which operate to exempt CIA "oversight" information from this broad grant of investigative and audit authority.

10. First, GAO's audit authority does not affect the DCI's authority under §8(b) of the CIA Act of 1949 to expend funds without regard to other fiscal laws and to account for expenditures solely on the certificate of the Director. 31 U.S.C. §3524. As previously indicated, CIA has traditionally interpreted this section as exempting the DCI's unvouchered funds from GAO audit. Second, GAO may not issue a subpoena or take civil action to obtain records denied by an agency, if the records relate to activities the President designates as foreign intelligence or counterintelligence activities. (Emphasis supplied) 31 U.S.C. §716. The legislative history cites Executive Order 12036, replaced by E.O. 12333, as the source of the President's designation. Obviously, by definition, the Agency's activities fall within the ambit of this provision, and the Agency has traditionally relied on this section to deny GAO oversight type information.

11. In addition, the CIA has consistently argued that the Intelligence Oversight Act (§501 of the National Security Act, 50 U.S.C. 413), vests oversight responsibilities in the intelligence Committees, not the GAO. Therefore, if we provided oversight type information to GAO, we would be derogating the Congressional intent behind section 501. Significantly, the DOJ Office of Legislative Affairs issued a letter opinion on June 26, 1989 relying on section 501 to deny GAO access to information relating to the Iran/Contra investigations:

"Moreover, it is our view that, when Congress seeks confidential intelligence information, Congress' intelligence committees, not GAO, are the exclusive means of access to such information."

Since GAO has no statutory power to compel production, they have no mechanism to enforce access.

12. In theory, all Intelligence Community agencies should be able to rely on 31 U.S.C. §716, combined with 50 U.S.C. 413, to deny GAO access to any records relating to foreign intelligence or counterintelligence activities. Indeed, DOD Directive 7650.1, §E.2, (a copy of this subsection is at Tab E) specifically provides that the DOD component head may deny access to such materials. The directive cautions, however, that "such information shall not be denied categorically to properly cleared GAO representatives having a need to know" and that "careful consideration must be exercised before denying GAO access....".

13. In practice, defense agencies do not adopt the "hard line" CIA approach but generally seek to cooperate with GAO representatives. Within NSA, DIA, NRO and CIO, the process for interacting with GAO varies greatly. DIA informs us that they have had a long history of dealing with GAO; however, most involvement is of a substantive, vice oversight, nature. Although the DIA/GAO relationship is very active, to our knowledge this is the first time GAO has sought access to GDIP CBJB's or funding documents for DIA activities.

14. NSA advises that the GAO maintains a team permanently in residence at NSA, resulting in nearly continuous contact between the two organizations. NSA's practice has been to cooperate with GAO audits and investigations to the extent possible in accordance with DOD regulations. This includes providing the GAO with documents requested, including CCP CBJB's as long as (1) the request was in support of a valid audit or investigation and (2) the recipients of the classified material had the requisite accesses and could meet security requirements for classified data control and storage. Documents provided in the past have included CCP CBJBs.

15. The NRO's dealings with GAO have been limited to cases of contract protests. NRO has not provided GAO access to CBJB's. CIO reports only two previous instances of contact, but is being tasked to respond to the current surveys. CIO will normally follow DOD guidance in dealing with GAO. C3I representatives inform that, as a matter of policy, DOD affords GAO unfettered access to TIARA materials and provides the GAO copies of TIARA CBJBs. All of these agencies believe that DCI and DOD guidance in this area, especially on the CBJB's issue, would be extremely helpful.

16. Until recently, the question of GAO access to DCI controlled, as opposed to CIA, materials had not been specifically considered. Agencies made their own decisions in granting access to materials such as CBJBs, DCIDs, and so forth, subject to DOD regulations. By letter dated December 13, 1993, Mr. Louis Rodrigues informed the DCI that GAO would request access to documentation for DOD programs within the NFIP. Significantly, however, GAO did not seek DCI approval or concurrence for such access. After consultations with OCA and DOD, the EXDIR/ICA concluded that such access would be inconsistent with the DCI's statutory authority to develop and present the NFIP budget, and with the oversight provisions of the National Security Act. Accordingly, by letter dated April 6, 1994 (attached at Tab F), Rich Haver informed GAO that we could not agree to such access. I encouraged Rich to take this stance, and I strongly recommend that you affirm this as your policy. I understand that GAO was quite upset by this decision and is choosing to ignore it while frantically reviewing the statutes to detect any legal flaws.

17. GAO representatives continue to press on several fronts for access to DCID's governing SIGINT relationships, joint guidance documents and for documentation of actions taken to implement NPR recommendations. We have not formally responded to these requests pending your review and decisions.

RECOMMENDATIONS

18. I believe that the current policy governing access to CIA information and Rich Haver's memorandum on access to CBJBs are reasoned, clear in execution, and fully supported by the law. I recommend that you formally endorse these policies. Further, many of the arguments underpinning these policies apply with equal force to other activities and documents under your direct operational control as Director of Central Intelligence, e.g. CMS and NIC activities, DCIDs, NPR implementations, and so forth. The reasoning also applies to documents you sign jointly with the Secretary of Defense, e.g. MOU governing NRO personnel security processing. In my view, allowing GAO access to these activities or documents is not consistent with your responsibility to protect intelligence sources and methods, erodes your ability to protect other sensitive information, and duplicates the oversight responsibilities of the Congress. I therefore recommend that you affirm the policy that documents or information concering these matters should not be generally shared with GAO.

19. Should you affirm this recommended policy, I believe we have a relatively bright line procedure for dealing with GAO. I do not recommend that you attempt to extend this policy to the execution, vice programmatic details of NFIP programs carried out by DOD components. For example, I think we can logically deny access to programmatic documents relating to GDIP's COBRA BALL, such as collection requirements and their translation into resource needs in the CBJB. However, I am unsure whether your authority would extend to documents or information concerning the operational details of each mission. An exercise of your authority in this area would inevitably put you into conflict with the Secretary of Defense and, potentially, with committees like SASC or HASC.

20. The issue of GAO access to NPR policy recommendations and implementation actions is a bit thornier because of some recent actions. Some time ago, CMS provided the NPR Staff with an unclassified status report on the 32 actions set forth in the unpublished NPR report on the Intelligence Community. The Vice-President's staff apparently provided these recommendations, along with many others across the Executive Branch, to GAO for consolidation, evaluation and monitoring of implementation. Indeed, these recommendations have been published in an unclassified summary of NPR actions. Subsequently, the GAO representative contacted Wayne Peal of CMS to request information on how the Community is implementing the NPR actions.

21. Robert Stone of the Vice-President's Office has stated that the Staff will not pressure us to provide anything to GAO. If we do provide unclassified information to the staff, however, they feel they must share it with GAO. I believe this compromise position affords us considerable latitude in this area. We will soon provide the staff with a status report on our implementation, and that report will be quite general in nature. I see no harm in the NPR staff providing that very general report to GAO. With your concurrence, we will not allow GAO access to detailed information underlying those actions, for example information on how we plan to implement the actions. Once again, this is a bright line we can follow.

22. If you ratify these recommendations, you should discuss your rationale with Secretary Perry or Deputy Secretary Deutch. We should notify all Intelligence Community agencies of your decisions, emphasizing that the policies do not sanction the denial of information to Congressional Committees. Indeed, we will continue to comply fully with any request from the Committees, be they SAC, HAC, SASC, HASC, SSCI or HPSCI. I should emphasize that these policies will not dramatically change intelligence agency dealings with GAO -- the major exception being NSA's practice of sharing CBJBs with GAO. Rather, the policies will provide a clear guideline for future interaction with GAO, a line that preserves your prerogatives as DCI.

RISKS

23. In my view, it is important to curtail growing GAO initiatives to investigate intelligence activities. At the same time, you should realize that there are risks in adopting the policies we have recommended. GAO will complain, indeed has already complained, to the Armed Services Committees that we have damaged their ability to complete the reviews. Further, GAO feels that if you are successful in denying them NFIP information in response to self-initiated surveys, they will have no legitimate role in intelligence matters, save as an investigative arm of a specific Congressional request. Accordingly, you can expect that they will resist vigorously. Nevertheless, our response to GAO should be clear and unambiguous: the DCI is exercising his statutory responsibilities and following the intent of Congress in vesting intelligence oversight in the intelligence committees. In other words, we will respond directly to appropriate committees of the Congress, but not through the GAO.

24. The Committees, who may not have the resources to conduct audits on their own, and sensitive to GAO protests, may hesitate to accept this procedure. To them, having GAO look at the issue may be the easy way out. Once again, our position should be that GAO "oversight" into the NFIP or into areas of DCI cognizance is flatly inconsistent with the mandate of the GAO Act and National Security Act. I and Rich can work with key staffers on the various committees, especially on the Senate side, to explain our reasons and to solicit their support.

CONCLUSION

25. I recommend you affirm the policies described above and individually listed below. If you concur, I will prepare, in coordination with Rich Haver, letters from you to the Secretary of Defense and NFIP Principals announcing these policies.

Continue CIA Policy on Dealing with GAO:

Approved [signed: R. James Woolsey]

Deny GAO Access to CBJB's and Related Documents:

Approved [signed: R. James Woolsey]

Source: CIA Hardcopy
Released by the House Committee on Government Reform, Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, July 18, 2001
HTML by Steven Aftergood